Very nice by You at Mikrotik! It opened up a really nice feature! Thanks!!!!

Also, you can use ICMP with custom packet size and you can ping (ping -l for Windows or ping -s for linux) from any OS without installing extra software. Packet size to ping should be packet size - 28 bytes (IP Header + ICMP Header).

The timeout isn't very clear in the firewall GUI (web and Winbox), by default you can just choose "non dynamic" or "non static". Because of this video I've learned that you can also use any times you like. Thanks.

Very thanksful Eng Druvis..! 🌹🙏

Please do a new series of videos about vlans. Each episode should start of selecting devices to method, theory about that method, example configuration for Access/Tagged/Hybrid and Trunk - those on one device only, and how use those vlans on /ip/address to reach them, how use that method with bonding and Q&Q. I hope you can stop this series on 6 episodes bcs I know at least 6 way of creating vlans and each should be shorter then 1h. I hope you clear all stuff about VLAN on MikroTik by that videos, I wait for that video series. Remember, Hybrid port are for wifi AccessPoint very very important.

Nice! Please consider adding Single Packet Authorization (fwknop) instead of the archaic port knocking method.

Nice presentation. Thanks

Love the video! Would love to see what you were talking about towards the end regarding a passphrase on top of this great trick! Love the contrast as always you all are incredible!

did that some years ago. works pretty good btw. druvis seems to be quite a fast typer ;)

Instead of configuring port ranges to secure the knocking you can use this line before to block port scanners add action=drop chain=input comment="dropping port scanners" in-interface-list=WAN src-address-list=\ "port scanners" add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input \ comment="Port scanners to list " in-interface-list=WAN log=yes log-prefix=scanner protocol=tcp \ psd=21,3s,3,1

Please do cover the passphrase thing in a coming video. Thank you :)

Well... that looks like nice thing.

In general I fail to see the need for port knocking now that MT has wireguard built-in. Druvis, when is port knocking useful (better option than wireguard)???

👏👏👏

Interesting. But you know what? Your (I suppose bash) `for` loop at 10:00 has in fact single item, which was interpreted as list in single `nmap` command.

Hey Druvis, the "low" part of "allow" is prounced like "loud" without the end "d" sound.

Knock, Knock, Who's there ? cAP ax

Why not put this in prerouting of mangle?

knock knock, who's there? isis

666. Lol, Druvis.

Wrote this .bat script to protect my ports. Works only with windows: @echo off set target_ip=11.22.33.44 set /a PacketSize1=111 set /a PacketSize2=222 set /a PacketSize3=333 set ip=%target_ip% set /a size1=%PacketSize1%-28 set /a size2=%PacketSize2%-28 set /a size3=%PacketSize3%-28 set info=IP is: %ip%, ICMP size: %size1%, %size2%, %size3%; echo %info% CLS ping %ip% -l %size1% -n 2 CLS ping %ip% -l %size2% -n 2 CLS ping %ip% -l %size3% -n 2 CLS @echo off REM 2 sec hold ping -n 2 localhost>nul exit

fool consol use